The malware in question was harvesting passwords and financial information, and relaying that information to a server in Russia.
Unfortunately, some energy companies appear to view insurance as a replacement for (rather than a supplement to) robust information security. Insurance companies who offer cyber security policies are increasingly turning down these potentially lucrative contracts due to the risk of a loss.
The "Olympic Games" hack involving Stuxnet showed the danger hackers pose to critical infrastructure. Even though Stuxnet was originally targeted at Iran's secretive nuclear program, the virus escaped into the wild and has been found in unrelated and surprising places.
Hopefully the refusal of cyber insurance will be a wake up call to energy and other infrastructure companies. Updates need to be applied, security needs to be designed in, and critical components may need to be separated from the network by an air gap.
Much of the information that is being reported has been sourced to a document that has been published on the Internet. At this point, Mt Gox has not validated the document, but many reports believe it to be genuine.
Reports have centered around a known weakness in the Bitcoin infrastructure, known as "malleability." In attacks based on malleability, hackers slightly vary the information in packets about legitimate transactions and flood the exchange with fraudulent information. The exchanges then need to validate every transaction to see which transactions are valid. Most exchanges have built in safeguards to deal with attacks based on malleability.
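The safeguard most exchanges rely on is to stop treating the transaction id as the only record of a withdrawal. The following added example (not from Mt Gox, any exchange, or the original post) uses a deliberately simplified transaction model: a constructed JSON serialization stands in for Bitcoin's wire format, and the "malleation" is a constructed re-encoding of the signature script. It shows why the transaction id changes while the coins spent and the destinations do not, and how an exchange can reconcile a pending withdrawal against the chain by an identifier that ignores the signature bytes.

```python
import hashlib
import json


def sha256d(data: bytes) -> str:
    """Double SHA-256, hex encoded (the hash Bitcoin uses for transaction ids)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def serialize(tx: dict) -> bytes:
    """Constructed stand-in for the wire format: canonical JSON. The real format
    differs, but the property that matters is the same: the input scripts, which
    carry the signatures, are part of what gets hashed into the txid."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def txid(tx: dict) -> str:
    return sha256d(serialize(tx))


def stable_id(tx: dict) -> str:
    """Identifier that ignores the signature scripts: it hashes only what a third
    party cannot change without invalidating the transaction, namely which coins
    are spent and where they go."""
    core = {
        "inputs": [{"prev_txid": i["prev_txid"], "index": i["index"]} for i in tx["inputs"]],
        "outputs": tx["outputs"],
    }
    return sha256d(serialize(core))


def malleate(tx: dict) -> dict:
    """Simulate a relay node re-encoding the signature script. The constructed
    variant appends a no-op opcode; the signature itself is untouched, so the
    transaction still spends the same coins to the same outputs."""
    copy = json.loads(json.dumps(tx))
    for inp in copy["inputs"]:
        inp["script_sig"] = inp["script_sig"] + "61"  # 0x61 is OP_NOP in Bitcoin script
    return copy


def reconcile(pending: dict, confirmed: list) -> str:
    """Exchange-side check: has a pending withdrawal confirmed? Returns
    'txid-match', 'stable-match' (confirmed under a different txid) or 'missing'.
    Matching on txid alone would report 'missing' for a malleated confirmation."""
    want_txid, want_stable = txid(pending), stable_id(pending)
    if any(txid(tx) == want_txid for tx in confirmed):
        return "txid-match"
    if any(stable_id(tx) == want_stable for tx in confirmed):
        return "stable-match"
    return "missing"


# Constructed sample withdrawal; every value is a placeholder, not real chain data.
WITHDRAWAL = {
    "version": 1,
    "inputs": [{"prev_txid": "aa" * 32, "index": 0, "script_sig": "3045deadbeef"}],
    "outputs": [{"value_satoshi": 50_000_000, "address": "customer-address-placeholder"}],
}

if __name__ == "__main__":
    mal = malleate(WITHDRAWAL)
    print("original txid :", txid(WITHDRAWAL))
    print("malleated txid:", txid(mal))
    print("stable ids equal:", stable_id(WITHDRAWAL) == stable_id(mal))
    print("reconcile against malleated confirmation:", reconcile(WITHDRAWAL, [mal]))
```

The point of `reconcile` is the failure mode the reports describe: an exchange that sees "missing" for a withdrawal that in fact confirmed under a different id, and re-sends it, pays twice.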
Serious allegations are being raised that fraud within Mt Gox may itself have been responsible for at least some of the loss. In 2012, Mt Gox reported about USD $380k in revenue. But in 2013, the company had to pay out a USD $5 million fine. Financial reporters are not clear on how Mt Gox was able to keep its doors open after this fine, but there are several reports of slow payments after the fine was paid. Financial reporters have noted that some consider this to be an early warning of a company doing business on a fraudulent basis.
At the very least, it appears clear that Mt Gox continued to do business even after discovering that it was vulnerable to a hacking attack.
Fortunately, the virus can be blocked by following good WiFi security practices. Unfortunately, many WiFi networks are not set up in a secure way.
Fortunately, the steps to secure a home WiFi network are not particularly difficult:
Beyond securing your own routers, you need to keep in mind that public routers may also have been infected. There are some steps you can take to protect yourself when connecting to public WiFi routers. Be aware that public networks are by definition insecure, whether WiFi or wired. There is little or nothing to stop a miscreant from trying to snoop your connection.
While researching the whitepaper, Websense used their methodology to identify a new targeted attack against a mobile network provider and a government agency, and a new Zeus-based POS (Point of Sale terminal) attack.
Of course this is extortion. But Symantec estimates that 3% of victims pay up, which is enough to net the extortionists millions of dollars per month.
Recently, a law firm's entire store of legal files was encrypted and unable to be decrypted. Consider the potential implications of being legally responsible for these documents and being responsible for their destruction through negligence.
Removing the infection from the computer is relatively straightforward. There are free tools, such as this tool from Sophos. Alternatively, you can roll your system back using Windows System Restore, if you had enabled that feature before you were infected. Other, more intrusive methods may be needed, if these do not work. These tools can remove the infection, but decrypting the encrypted user files is not likely to be possible.
If your files have been encrypted, you are going to need to recover from backup. Once your PC has been disinfected, you can attempt to recover files from Shadow Volume Copies (which is part of Windows' System Restore). But you are most likely to be successful if you have been backing up to a system that did not allow the infected PC to overwrite your backups.
Fazio Mechanical, Target's HVAC vendor, had access to Target's network in order to monitor the temperatures in the stores and the health of the HVAC equipment. It is less clear why access was allowed with weak authentication, and why there was no network segmentation between the HVAC units and the POS terminals.
The only really sophisticated part of the attack was the memory-scraping software actually used in the POS terminals. The rest appears to have been a combination of standard attack methods.
One of the key user accounts used to consolidate and move data around Target's network was the "best1_user" account, which is an account name usually associated with the Performance Assurance for Microsoft Servers agent of BMC Software's Patrol product.
It appears that a SQL injection attack was a key part of compromising servers to place the malware and recover the stolen data.
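The defect behind most SQL injection is the same regardless of the target: user input concatenated into the statement text. The following added example (mine, not code from Target or from the reporting on the breach) puts a vulnerable lookup beside its parameterized form against a constructed in-memory SQLite table, so the difference in behaviour on a quote-bearing input is visible directly.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by string concatenation: whatever the caller supplies
    becomes part of the SQL grammar, not just a value."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the driver hands the value to the engine separately from
    the statement, so quotes in the input never change the query's structure."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed input containing a quote character and a tautology.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:   ", lookup_vulnerable(conn, CRAFTED))   # every row comes back
    print("parameterized:", lookup_parameterized(conn, CRAFTED))  # no user has that literal name
```

The parameterized version is not "escaping done right"; it is a different mechanism, which is why it holds up for inputs the developer never thought of.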
Target has stated that it intends to invest heavily in chip card technology. This would help with "card present" attacks (i.e. attacks based on cloning a physical card), but would not do much for "card absent" attacks (where a purchase is made from a remote location).
The NHS reports that they have fixed the typos.
Some key issues to look at when moving an application to the cloud include:
A lot of the security scrutiny surrounding a cloud migration focuses on the security of the cloud provider's infrastructure itself. This is important, but the weaknesses that the software platform brings along with itself are almost certainly a bigger problem.
There is really very little incentive not to encrypt all traffic. There is a performance hit, but the only responsible way to avoid it would be to perform a close analysis of all data that would be sent unencrypted. Even once that analysis is complete, you cannot guarantee that the program will not change in a few months (even assuming that nothing was missed in the analysis). There are a number of options for forcing encrypted traffic, including built-in capabilities in both Java and .NET to force the use of SSL for web interactions.
Where programs have incorporated hard-coded IP addresses in code, there is some possibility that traffic would be delivered to entirely the wrong place in a hosted environment. This is especially the case for the standard ranges that are commonly used for internal IP addresses.
But the use of hostnames can also be problematic, since name lookup infrastructure is usually controlled by the outside vendor. (In any case, references to specific names should be contained within configuration files, not in the actual code source.)
Where possible, client-side SSL certificates can provide an extra layer of security, by providing assurance that the target side of the connection is actually the system that we are trying to contact.
Queries to databases can be encrypted during transmission by specifying SSL as the connection protocol in the JDBC driver or .NET connection.
Keep in mind that existing hard-coded encryption tokens, keys, etc. may cause problems during application migration to the cloud. And if the same key is re-used in several contexts, the compromise of a single component can result in a broader compromise through the entire application or environment. It is important that encryption keys, tokens, etc. be maintained outside of the code base itself, where they can be changed or updated as needed.
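Three of the points above (force encrypted transport, keep hostnames out of the source, keep keys and tokens out of the source) come together in how a client is configured. The following added example is mine, not a Java or .NET facility and not code from the original post; it uses Python's standard `ssl` module. The environment variable names `APP_DB_HOST`, `APP_API_HOST` and `APP_API_TOKEN` are assumptions for the example.

```python
import os
import ssl
from urllib.parse import urlparse

# Constructed setting names; these are assumptions for the example, populated
# from a config file or secret store at deploy time, never from source code.
REQUIRED_SETTINGS = ("APP_DB_HOST", "APP_API_HOST", "APP_API_TOKEN")


def missing_settings(env: dict) -> list:
    """Names of required settings that are absent or empty."""
    return [k for k in REQUIRED_SETTINGS if not env.get(k)]


def load_settings(env: dict = None) -> dict:
    """Read hostnames and secrets from the environment. A missing value fails
    loudly instead of falling back to a default baked into the code."""
    env = os.environ if env is None else env
    missing = missing_settings(env)
    if missing:
        raise RuntimeError("missing settings: " + ", ".join(missing))
    return {k: env[k] for k in REQUIRED_SETTINGS}


def is_tls_url(url: str) -> bool:
    """True only for https:// URLs with a hostname; anything else would let a
    misconfigured endpoint silently downgrade the connection to cleartext."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)


def require_tls_url(url: str) -> str:
    if not is_tls_url(url):
        raise ValueError("refusing non-TLS endpoint: " + url)
    return url


def build_client_context() -> ssl.SSLContext:
    """Client TLS context that verifies the server certificate against the system
    trust store, checks the hostname, and refuses protocol versions below 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings an auditor would want to see on the context."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; the hosts are placeholders.
    sample_env = {
        "APP_DB_HOST": "db.example.invalid",
        "APP_API_HOST": "api.example.invalid",
        "APP_API_TOKEN": "constructed-token",
    }
    settings = load_settings(sample_env)
    print(require_tls_url("https://" + settings["APP_API_HOST"] + "/v1/"))
    print(describe_context(build_client_context()))
    try:
        require_tls_url("http://" + settings["APP_API_HOST"] + "/v1/")
    except ValueError as err:
        print(err)
```

Because the hostnames and the token arrive through the environment, rotating a key or pointing the application at a different provider is a deployment change, not a code change, which is exactly the property the paragraph above asks for.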
At the same time, it is important that logs be maintained and reviewed, just as they should be on an internal network. Given the potentially greater exposure of the data, log review procedures need a careful review as part of any application cloud deployment.
Evidently, this bug is active if not all eight user fields are populated by a configured userid and password. The flaw exists even on fairly recent versions of the webcam firmware.
Foscam, the camera vendor, has released a new firmware version and has provided common sense tips for securing the webcams. Since a reported 20% of these cameras use the default admin password, common sense tips are not out of place.
Because NTP uses UDP as its transport protocol, and because it responds to certain queries with larger amounts of data than is used to perform the query, an amplification attack can tremendously increase the amount of traffic hitting a DoS (Denial of Service) target. TCP-based services require a handshake with the initial sender before replying, and so are not easily usable for amplification attacks.
US CERT has posted resolution steps for admins of systems with this vulnerability. The Open NTP Project also provides a scanner to help identify vulnerable systems.
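From the network operator's side, an NTP server being abused as an amplifier shows up in flow records as a lopsided byte ratio on udp/123, with the oversized responses all heading to one address that never really asked for them. The following added example (mine, not the Open NTP Project scanner or anything from US-CERT) works over constructed NetFlow-style records; the addresses are documentation ranges and the byte counts are made up to illustrate the ratio, not measured values.

```python
from collections import defaultdict

# Constructed flow records, one flow per line:
# timestamp,src_ip,src_port,dst_ip,dst_port,proto,bytes
FLOWS = """\
2014-02-10T10:00:01,203.0.113.5,40000,192.0.2.10,123,udp,48
2014-02-10T10:00:01,192.0.2.10,123,203.0.113.5,40000,udp,9600
2014-02-10T10:00:02,203.0.113.5,40001,192.0.2.10,123,udp,48
2014-02-10T10:00:02,192.0.2.10,123,203.0.113.5,40001,udp,9600
2014-02-10T10:00:03,198.51.100.7,51000,192.0.2.11,123,udp,48
2014-02-10T10:00:03,192.0.2.11,123,198.51.100.7,51000,udp,48
2014-02-10T10:00:04,198.51.100.7,51001,192.0.2.11,123,udp,48
2014-02-10T10:00:04,192.0.2.11,123,198.51.100.7,51001,udp,48
"""


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def ntp_amplification(flows: list) -> dict:
    """Per local NTP server: bytes sent from udp/123 divided by bytes received on
    udp/123. A normal time server answers a small query with a small reply, so
    the ratio sits near 1; an abused one answers small queries with large ones."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == 123:
            inbound[f["dst"]] += f["bytes"]
        if f["sport"] == 123:
            outbound[f["src"]] += f["bytes"]
    ratios = {}
    for host in set(inbound) | set(outbound):
        received, sent = inbound[host], outbound[host]
        ratios[host] = sent / received if received else float("inf")
    return ratios


def flag_amplifiers(flows: list, threshold: float = 10.0) -> list:
    """Hosts whose observed amplification factor is at or above the threshold."""
    return sorted(h for h, r in ntp_amplification(flows).items() if r >= threshold)


def response_targets(flows: list, hosts: list) -> dict:
    """Where the flagged servers' responses went. With spoofed queries the
    destination is the victim, so this is the party to notify, not to block."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] in hosts and f["sport"] == 123 and f["proto"] == "udp":
            totals[f["dst"]] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    suspects = flag_amplifiers(flows)
    print("amplification per server:", ntp_amplification(flows))
    print("likely abused servers:   ", suspects)
    print("responses delivered to:  ", response_targets(flows, suspects))
```

The threshold is a starting point; a server answering legitimate clients will sit near 1.0 and an abused one will be in the tens or hundreds, so there is usually a wide gap to set it in.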
The malware itself grabbed the unencrypted data from memory during the period of time that it is unencrypted in order to allow authentication to take place. The data was then stored locally and transmitted to a compromised collection server on a scheduled basis.
Several security researchers have commented on how vociferously Target had insisted that the data on its hard drives had been encrypted using strong encryption. Memory scrapers are an attack vector that can bypass on-disk encryption techniques.
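Encryption at rest does nothing about data that is scraped while it is in memory, so the detection opportunity shifts to what the malware does next: the paragraph above notes the stolen data was "transmitted to a compromised collection server on a scheduled basis," and a scheduled transfer has a signature of its own. The following added example (mine, not from Target or from the researchers cited) looks for that signature in a constructed outbound-connection log: connections from one host to one destination whose inter-arrival gaps are nearly constant.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (firewall/proxy style), one event per line:
# <ISO timestamp> <source host> <destination> <bytes sent>
# 10.0.5.21 talks to one address every ten minutes; 10.0.5.22 browses irregularly.
LOG = """\
2014-01-05T00:00:00 10.0.5.21 198.51.100.44 2048
2014-01-05T00:00:10 10.0.5.22 93.184.216.34 512
2014-01-05T00:01:40 10.0.5.22 93.184.216.34 310
2014-01-05T00:07:00 10.0.5.22 93.184.216.34 9001
2014-01-05T00:09:30 10.0.5.22 93.184.216.34 128
2014-01-05T00:10:02 10.0.5.21 198.51.100.44 2048
2014-01-05T00:19:59 10.0.5.21 198.51.100.44 2048
2014-01-05T00:30:00 10.0.5.22 93.184.216.34 77
2014-01-05T00:30:01 10.0.5.21 198.51.100.44 2048
2014-01-05T00:40:00 10.0.5.21 198.51.100.44 2048
"""


def parse_log(text: str) -> list:
    """Parse the constructed log into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(text: str, min_events: int = 4, max_cv: float = 0.1) -> dict:
    """Group events by (src, dst), compute the gaps between consecutive
    connections, and flag pairs whose gaps are nearly constant. The coefficient
    of variation (stdev / mean) is scale-free, so a 10-minute schedule and a
    10-second one are judged by the same threshold."""
    by_pair = {}
    for ts, src, dst, _ in sorted(parse_log(text)):
        by_pair.setdefault((src, dst), []).append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"count": len(times), "period_s": round(avg), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(LOG).items():
        print(f"{src} -> {dst}: {info['count']} connections, "
              f"period ~{info['period_s']}s, cv={info['cv']}")
```

Legitimate software polls on a schedule too (update checkers, monitoring agents), so the output is a queue for an analyst to triage against a list of known destinations, not an automatic verdict; the constant-size payloads in the constructed log are the second thing to look at.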
Visa Inc issued two alerts last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory parsing malware.
...
It was not clear whether Target's security team had implemented the measures that Visa had recommended to mitigate the risks of being attacked. Yet a law enforcement source familiar with the breach said that even if the retailer had implemented those steps, the efforts may not have succeeded in stopping the attack.
Last week, Target admitted that its security breach compromised on the order of 110 million cards, which puts it in the top tier of such security breaches.
While the people responsible for the Target hack have not been identified, Krebs identified one person who has been selling credit card numbers that were stolen from Target.
UPDATE: CNET has an interesting article where Target describes the reasons for the delay in notification about a breach that was discovered on Dec 15. It amounts to "we were trying to get ready for the storm."
Microsoft announced that Windows XP Security Essentials will also not be available after XP is declared "unsupported" in April.
If Security Essentials is no longer available, other vendors are likely to also drop support for XP product lines. This may include vendors like anti-virus and other security software vendors.
If XP systems can be upgraded, they should be upgraded immediately. Systems that cannot be upgraded need to be protected by air gaps and firewall rules. Services on these systems should be limited to only those functions that cannot be migrated.
Even with these measures, there will be a lot of insecure, poorly managed systems in the global IT environment. Black hats are rubbing their hands in anticipation of the feast.
But if computers are driving cars, we have to take a serious look at information security in the context of a self-driving automobile. Unfortunately, most current automation does not have adequate safeguards to protect from malicious inputs.
In particular, components do not do checking or validation to make sure that commands are being issued from an appropriate source. Security researchers have demonstrated that they are able to issue commands to a Prius to control steering, braking, acceleration, and dashboard displays. They were also able to disable an Escape's brakes at slow speed.
Ford and Toyota both point out that the researchers were connecting directly to the car's CAN (Controller Area Network), which limits the impact of some of their demonstrations. But keep in mind that wireless controllers on on-board systems such as Bluetooth controllers on sound systems and telematics units on satellite roadside assistance services may provide an entry point into the automobile. Anywhere a wireless connection allows access to a component connected to a CAN is a possible entry point for malicious code.
The sorts of security measures we use for other network-connected items would still work inside a car. Provide air gaps between components that don't need to be connected. And provide for validation and authentication of commands from components that do need to be connected.
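"Validation and authentication of commands" on a CAN bus comes down to a receiving component being able to tell that a frame came from the component it claims to come from, and that it is not a replay of an earlier one. The following added example is mine, not code from Ford, Toyota, or the researchers; it is a toy in Python rather than ECU firmware, and the shared key, arbitration id and frame layout (2 payload bytes, 2 counter bytes, 4 tag bytes in a classic 8-byte data field) are assumptions for the example. The pattern, a keyed MAC over id, counter and payload with a monotonically increasing counter, is the general approach the automotive specifications in this area take; the details here are simplified.

```python
import hashlib
import hmac
import struct

# Constructed shared key. In a real design each sending/receiving ECU pair would
# hold a key provisioned at manufacture; this value is an assumption for the example.
KEY = b"constructed-demo-key-not-for-real-use"
BRAKE_CMD_ID = 0x1A0  # constructed arbitration id for the example


def compute_tag(can_id: int, counter: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Keyed MAC over identifier, freshness counter and payload, truncated to
    4 bytes so payload + counter + tag still fit an 8-byte CAN data field."""
    msg = struct.pack(">HH", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


def build_frame(can_id: int, counter: int, payload: bytes, key: bytes = KEY) -> tuple:
    """Frame = (arbitration id, 8 data bytes): 2 payload + 2 counter + 4 tag.
    A 16-bit counter wraps; production designs carry a wider freshness value
    and transmit only its low bits, which is out of scope for this toy."""
    if len(payload) != 2 or not 0 <= counter <= 0xFFFF:
        raise ValueError("payload must be 2 bytes and counter 16-bit")
    data = payload + struct.pack(">H", counter) + compute_tag(can_id, counter, payload, key)
    return (can_id, data)


class Receiver:
    """ECU-side check: accept a frame only if its tag verifies under the shared key
    and its counter is strictly newer than the last one accepted for that id."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = {}

    def accept(self, frame: tuple) -> str:
        can_id, data = frame
        payload, tag = data[:2], data[4:8]
        counter = struct.unpack(">H", data[2:4])[0]
        expected = compute_tag(can_id, counter, payload, self.key)
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        if counter <= self.last_counter.get(can_id, -1):
            return "rejected: replay"
        self.last_counter[can_id] = counter
        return "accepted"


def naive_accept(frame: tuple) -> str:
    """What an unauthenticated bus does: any well-formed frame is acted on,
    regardless of where it came from."""
    return "accepted"


def demo() -> list:
    """Walk through the cases: genuine, replayed, tampered, wrong key, next genuine."""
    rx = Receiver()
    genuine = build_frame(BRAKE_CMD_ID, 1, b"\x00\x64")
    tampered = (BRAKE_CMD_ID, b"\x00\x00" + genuine[1][2:])  # payload changed, tag kept
    wrong_key = build_frame(BRAKE_CMD_ID, 2, b"\x00\x64", key=b"wrong-key")
    return [
        naive_accept(tampered),                                 # unauthenticated bus: accepted
        rx.accept(genuine),                                     # accepted
        rx.accept(genuine),                                     # rejected: replay
        rx.accept(tampered),                                    # rejected: bad tag
        rx.accept(wrong_key),                                   # rejected: bad tag
        rx.accept(build_frame(BRAKE_CMD_ID, 2, b"\x00\x64")),   # accepted
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The cost of this scheme is the four payload bytes given up to the counter and tag, which is why real deployments argue about tag length; the benefit is that a frame injected through a Bluetooth stack or telematics unit, as the paragraph above describes, is dropped by the receiving ECU unless the injector also holds the key.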
I remember discussions about PC security in the early days of the Internet, when most computer viruses were still spread by injudicious insertion of floppy disks. Way back when, we were told that PCs didn't need to have security programmed in from the ground up. I'm hoping we learn from the history of those poor decisions. A Blue Screen of Death is one thing, but a traffic fatality is another.